Hi,

I am trying to set up an IKEv2 VPN with iked(8), between an OpenBSD
firewall and a SonicWall one.

The VPN sets up correctly as long as only one subnetwork is configured.
However, as soon as at least 2 subnets are configured, only one of them
operates.

Below is the OpenBSD side configuration:

ikev2 active esp \
    from $local_network_1 to $remote_network_1 \
    from $local_network_1 to $remote_network_2 \
    peer $remote_peer \
    ikesa auth xxx enc xxx group xxx \
    childsa auth xxx enc xxx \
    srcid $local_ip \
    ikelifetime xxx lifetime xxx \
    psk "xxxxxxx"

The same configuration is done on the other side, adapted for the
SonicWall.

With only the line `from $local_network_vlan1 to $remote_networks_1`,
the VPN goes up and the communication works correctly between the 2
subnets. The problem appears as soon as a second subnetwork is added to
the configuration, by adding `from $local_network_vlan2 to
$remote_networks_2`. There, the communication no longer works between
local_network_1 and remote_network_1, but works between local_network_1
and the added remote_network_2.

The problem is the same if, instead of setting up 2 remote subnets with
only 1 local subnetwork, I set up 2 local subnetworks with 1 remote
subnetwork, or even 2 local subnetworks with 2 remote subnets.

The logs do not indicate anything particular.

The problem seems to come from the OpenBSD side, since I also found it
with another manufacturer on the other side, and the SonicWall has
several VPNs configured in this way without any problems. It also seems
to be specific to IKEv2 or iked(8), since we have this type of
configuration with isakmpd(8) without any problem.

Knowing that it is not possible to run iked(8) and isakmpd(8) at the
same time to use IKE with this client, I would be very grateful if
anybody could help me find out what is happening.

Thank you!
-- 
Jeremy
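As an added example (not code from the post above or from iked itself), a small Python checker that expands the macros of an iked.conf(5) policy, lists every `from ... to ...` flow the policy declares and flags duplicate or mutually overlapping flows. When only some of several subnets pass traffic, the declared flows are the first thing to compare against what the kernel actually installed (`ipsecctl -s flow`). The configuration and prefixes embedded below are constructed for the example, and the parser only understands the subset of syntax used in the post: macro lines, backslash continuations and `ikev2` policy lines.

```python
"""Enumerate the 'from X to Y' flows of an iked.conf(5) policy.

Added example, not code from the original post. Handles only macro
definitions (name = "value"), backslash line continuations and the
flow clauses of 'ikev2' policy lines. SAMPLE_CONF is constructed.
"""
import ipaddress
import re

# Constructed sample: one policy carrying three flows between two local
# and two remote subnets, in the same shape as the post's configuration.
SAMPLE_CONF = r"""
local_network_1 = "10.1.1.0/24"
local_network_2 = "10.1.2.0/24"
remote_network_1 = "192.168.10.0/24"
remote_network_2 = "192.168.20.0/24"
remote_peer = "203.0.113.10"

ikev2 active esp \
    from $local_network_1 to $remote_network_1 \
    from $local_network_1 to $remote_network_2 \
    from $local_network_2 to $remote_network_1 \
    peer $remote_peer
"""

MACRO_RE = re.compile(r'^\s*(\w+)\s*=\s*"?([^"\s]+)"?\s*$')
FLOW_RE = re.compile(r'\bfrom\s+(\S+)\s+to\s+(\S+)')


def join_continuations(text):
    """Join lines ending in a backslash, as the config parser does."""
    return text.replace("\\\n", " ")


def parse_macros(text):
    """Collect 'name = "value"' macro definitions."""
    macros = {}
    for line in text.splitlines():
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
    return macros


def expand(token, macros):
    """Replace a $macro reference by its value; literals pass through."""
    if token.startswith("$"):
        name = token[1:]
        if name not in macros:
            raise ValueError(f"undefined macro ${name}")
        return macros[name]
    return token


def parse_flows(text):
    """Return (local_net, remote_net) pairs, in order, for every ikev2 policy."""
    macros = parse_macros(text)
    flows = []
    for line in join_continuations(text).splitlines():
        if not line.lstrip().startswith("ikev2"):
            continue
        for src, dst in FLOW_RE.findall(line):
            flows.append((ipaddress.ip_network(expand(src, macros)),
                          ipaddress.ip_network(expand(dst, macros))))
    return flows


def check_flows(flows):
    """Report flows that repeat, or whose both ends overlap another flow's."""
    issues = []
    for i, (a_src, a_dst) in enumerate(flows):
        for b_src, b_dst in flows[i + 1:]:
            if (a_src, a_dst) == (b_src, b_dst):
                issues.append(f"duplicate flow {a_src} -> {a_dst}")
            elif a_src.overlaps(b_src) and a_dst.overlaps(b_dst):
                issues.append(f"overlapping flows {a_src} -> {a_dst} "
                              f"and {b_src} -> {b_dst}")
    return issues


if __name__ == "__main__":
    declared = parse_flows(SAMPLE_CONF)
    for src, dst in declared:
        print(f"flow {src} -> {dst}")
    for issue in check_flows(declared):
        print("warning:", issue)
```

Run it against the real file with `parse_flows(open("/etc/iked.conf").read())` and compare the printed list with the flows `ipsecctl -s flow` shows after the SA comes up; a flow that is declared but absent from the kernel, or a warning about overlapping prefixes, narrows the search considerably before turning up iked's log verbosity.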